ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2024-12-18 20:47:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

[#108] Validity Check for Base and Delta Certs (#126)

Browse Source 
* Added methods and placeholders for checking the supply chain for base and delta credentials according to the new TCG spec

Checkstyle changes

Created a new SupplyChainValidation.ValidationType for delta credential attributes. The existing PLATFORM_CREDENTIAL
ValidationType will be used for both base and delta platform credentials from spec 1.1.

* Checkstyle error: trailing spaces
This commit is contained in:
chubtub 2019-05-02 07:15:43 -04:00 committed by Cyrus
parent 74ab4d46b1
commit 86f2cddb22
5 changed files with 103 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
View File

@ -100,6 +100,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
supplyChainAppraiser);
boolean acceptExpiredCerts = policy.isExpiredCertificateValidationEnabled();
HashMap<PlatformCredential, SupplyChainValidation> credentialMap = new HashMap<>();
PlatformCredential baseCredential = null;
List<SupplyChainValidation> validations = new ArrayList<>();
@ -137,6 +138,14 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
pc.setDevice(device);
this.certificateManager.update(pc);
credentialMap.put(pc, platformScv);
/*
* This method will be added to PlatformCredential to return whether a given
* object is a base or a delta credential.
*/
/* if (pc.isBase()) {
baseCredential = pc;
}
*/
}
}
}
@ -156,8 +165,14 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
Iterator<PlatformCredential> it = pcs.iterator();
while (it.hasNext()) {
PlatformCredential pc = it.next();
SupplyChainValidation attributeScv = validatePlatformCredentialAttributes(
SupplyChainValidation attributeScv = null;
if (pc == baseCredential || baseCredential == null) {
attributeScv = validatePlatformCredentialAttributes(
pc, device.getDeviceInfo(), ec);
} else {
attributeScv = validateDeltaPlatformCredentialAttributes(
pc, device.getDeviceInfo(), baseCredential);
}
SupplyChainValidation platformScv = credentialMap.get(pc);
if (platformScv != null) {
@ -288,6 +303,41 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
}
}
private SupplyChainValidation validateDeltaPlatformCredentialAttributes(
final PlatformCredential delta,
final DeviceInfoReport deviceInfoReport,
final PlatformCredential base) {
/*
* Do we need a new ValidationType for deltas?
*/
final SupplyChainValidation.ValidationType validationType =
SupplyChainValidation.ValidationType.DELTA_PLATFORM_CREDENTIAL_ATTRIBUTES;
if (delta == null) {
LOGGER.error("No delta credential to validate");
return buildValidationRecord(validationType,
AppraisalStatus.Status.FAIL, "Platform credential is missing",
null, Level.ERROR);
}
LOGGER.info("Validating platform credential attributes");
AppraisalStatus result = supplyChainCredentialValidator.
validateDeltaPlatformCredentialAttributes(delta, deviceInfoReport, base);
switch (result.getAppStatus()) {
case PASS:
return buildValidationRecord(validationType, AppraisalStatus.Status.PASS,
result.getMessage(), delta, Level.INFO);
case FAIL:
return buildValidationRecord(validationType, AppraisalStatus.Status.FAIL,
result.getMessage(), delta, Level.WARN);
case ERROR:
return buildValidationRecord(validationType, AppraisalStatus.Status.ERROR,
result.getMessage(), delta, Level.ERROR);
default:
return buildValidationRecord(validationType, AppraisalStatus.Status.ERROR,
result.getMessage(), delta, Level.ERROR);
}
}
/**
* Creates a supply chain validation record and logs the validation
* message at the specified log level.

11
HIRS_AttestationCA/src/test/java/hirs/attestationca/service/SupplyChainValidationServiceImplTest.java
View File

@ -93,6 +93,7 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest
// mocked
private SupplyChainPolicy policy;
private PlatformCredential pc;
// private PlatformCredential delta;
private EndorsementCredential ec;
private HashSet<PlatformCredential> pcs;
private Device device;
@ -134,8 +135,13 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest
pcs = new HashSet<PlatformCredential>();
pcs.add(pc);
/*
* Mock delta platform credential here
*/
Set<Certificate> resultPcs = new HashSet<>();
resultPcs.add(pc);
//resultPcs.add(delta);
// mock credential retrieval
when(certificateManager.get(any(EndorsementCredential.Selector.class)))
@ -176,6 +182,11 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest
doReturn(new AppraisalStatus(PASS, "")).when(supplyChainCredentialValidator)
.validatePlatformCredentialAttributes(eq(pc), any(DeviceInfoReport.class),
any(EndorsementCredential.class));
/*
doReturn(new AppraisalStatus(PASS, "")).when(supplyChainCredentialValidator)
.validateDeltaPlatformCredentialAttributes(eq(delta), any(DeviceInfoReport.class),
any(PlatformCredential.class));
*/
Assert.assertEquals(service.validateSupplyChain(ec, pcs,
device).getOverallValidationResult(), PASS);

9
HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainValidation.java
View File

@ -27,14 +27,19 @@ public class SupplyChainValidation extends ArchivableEntity {
ENDORSEMENT_CREDENTIAL,
/**
* Validation of a platform credential.
* Validation of a platform credential and also delta platform credentials from spec 1.1.
*/
PLATFORM_CREDENTIAL,
/**
* Validation of a platform credential's attributes.
*/
PLATFORM_CREDENTIAL_ATTRIBUTES
PLATFORM_CREDENTIAL_ATTRIBUTES,
/**
* Validation of a delta platform credential's attributes.
*/
DELTA_PLATFORM_CREDENTIAL_ATTRIBUTES
}
@Column

13
HIRS_Utils/src/main/java/hirs/validation/CredentialValidator.java
View File

@ -35,6 +35,19 @@ public interface CredentialValidator {
AppraisalStatus validatePlatformCredentialAttributes(PlatformCredential pc,
DeviceInfoReport deviceInfoReport,
EndorsementCredential ec);
/**
* Checks if the delta credential's attributes are valid.
* @param delta the delta credential to verify
* @param deviceInfoReport The device info report containing
* serial number of the platform to be validated.
* @param base the base credential from the same identity request
* as the delta credential.
* @return the result of the validation.
*/
AppraisalStatus validateDeltaPlatformCredentialAttributes(PlatformCredential delta,
DeviceInfoReport deviceInfoReport,
PlatformCredential base);
/**
* Checks if the endorsement credential is valid.
*

21
HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
View File

@ -251,6 +251,27 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
return validatePlatformCredentialAttributesV1p2(platformCredential, deviceInfoReport);
}
/**
* Checks if the delta credential's attributes are valid.
* @param deltaPlatformCredential the delta credential to verify
* @param deviceInfoReport The device info report containing
* serial number of the platform to be validated.
* @param basePlatformCredential the base credential from the same identity request
* as the delta credential.
* @return the result of the validation.
*/
@Override
public AppraisalStatus validateDeltaPlatformCredentialAttributes(
final PlatformCredential deltaPlatformCredential,
final DeviceInfoReport deviceInfoReport,
final PlatformCredential basePlatformCredential) {
/*
* Code here to check the holder and attribute status fields
*/
return validatePlatformCredentialAttributesV2p0(deltaPlatformCredential, deviceInfoReport);
}
private static AppraisalStatus validatePlatformCredentialAttributesV1p2(
final PlatformCredential platformCredential,
final DeviceInfoReport deviceInfoReport) {